CCPA's HR, B2B exemptions to expire in 2023

Employers must be mindful of employees' data, says California law firm

HR exemptions and B2B exemptions under the California Consumer Privacy Act (CCPA) will expire by the start of 2023, as this year’s legislative session ended without lawmakers making these provisions permanent.

This leaves CCPA-regulated businesses four months to comply with the full spectrum of the CCPA’s requirements as applied to HR and B2B data.

Employers must now extend their compliance efforts to the personal information of a broad range of Californians from whom businesses collect it, according to one lawyer. These include:

  • job applicants, employees, non-employee staff, independent contractors, advisers, directors, owners and shareholders
  • contacts at current and prospective business customers, vendors and partners
  • B2B website visitors
  • business leads and contacts purchased or obtained from third-party sources
  • event attendees and office visitors
  • business email correspondents
  • most other individuals in human resources information systems, customer relationship management and contact management systems

“Given the breadth of the individuals in scope, and the volume of data that businesses collect about them, extending compliance measures required by the CCPA to HR and B2B data entails a significant level of effort,” said Adam Connolly, partner at California-based international law firm Cooley. “In particular, gathering, reviewing and producing the large volume of personal information that employers maintain about employees can be a difficult task.”

Connolly also noted that the full scope of the law will now apply to employers. Under the legislation, employers must give privacy notices to personnel, job applicants and business contacts.

Employers must also honor requests from personnel, job applicants and business contacts to exercise their rights under the CCPA, including rights to:

  • know how their personal information is used and shared
  • access a copy of the personal information
  • delete personal information they provided
  • correct personal information
  • opt out of certain uses and sharing of personal information, including any sale of personal information, sharing of personal information for behavioral advertising purposes or use of sensitive personal information for certain purposes
  • exercise rights free of discrimination

Employers will also be required to ensure that vendors with access to HR or B2B data are subject to specific contractual data-use prohibitions necessary to qualify them as “service providers” or “contractors”, and that granting such access does not constitute restricted “selling” or “sharing” of personal information from which Californians can opt out.

Businesses must also ensure third parties to whom HR or B2B data is sold, or with whom it is shared for behavioral advertising purposes, are subject to contractual obligations specified in the CPRA.

“California employees already have a right to their personnel records under Section 1198.5 of the California Labor Code but the CCPA will substantially enlarge the scope of personal information to which employees are entitled,” said Connolly. “Businesses should also be mindful that employees, job applicants and other individuals may be able to leverage their CCPA rights to access information that is helpful to them in disputes without having to initiate litigation and discovery.”

In April, more than eight million Cash App Investing customers may have had personal data compromised after a former employee downloaded internal reports without permission, parent company Block Inc. revealed in a regulatory filing. Block said it was reaching out to roughly 8.2 million current and former customers about the incident.

The company continues to “review and strengthen administrative and technical safeguards to protect information,” Danika Owsley, a spokesperson for Cash App, told CNN Business.